RE: [security-services] Groups-draft-sstc-solution-profile-soap-02.pdfuploaded

[Michael McIntosh <mikemci@us.ibm.com>]

Scott Cantor <cantor.2@osu.edu> wrote on 02/10/2004
11:34:33 AM:

> >Perhaps there isn't a need for every single authentication mechanism
to
> have
> >its own profile, but we need to make sure we can support these
mechanisms
> >when used with SAML. We are proposing a profile of how WSS can
be used with
> >SAML. 
> 
> Let me clarify my point a little...I'm asking what is special about
securing
> the SAML request/response protocol with WSS as opposed to any other
> SOAP-bound req/resp protocol. I don't see anything specific to SAML
> involved.

I agree that there is a significant subset(superset?)
of what we are talking about that applies generally no matter what authentication
mechanism is used. 

> 
> Secondarily, the SOAP client "profile" as we're calling
it now, is a
> different beast. It's a specific use case in which the SAML protocol
is
> bound to SOAP because all the parties speak it. I see no clear reason
why
> WSS has to be part of that "profile" discussion in the sense
that it's
> orthogonal. Not that it's not applicable or relevant, simply a different
> layer.

Perhaps part of the confusion is, as has been pointing
out previously by Rich Salz and yourself, the lack of consistent use of
the terms profile, binding, and protocol. We are just trying to make sure
that the SAML protocols/bindings/profiles are factored in a way that enables
and appropriately leverages use of WSS in a SOAP Binding/Profile or whatever
you want to call it.

Thanks,
Mike